Release notes/quasi-documentation for tacshell-0.9 (29 October 2003)

Copyright 2002,2003 Christopher SEKIYA <wileyc@rezrov.net>
Portions copyright 1997-2000 by Pawel Krawczyk <kravietz@ceti.pl>
TACACS+ definitions are Copyright (c) 1995-1998 by Cisco Systems, Inc.
ACE/Server is a trademark of RSA Security Inc.

Q) What is tacshell?

A) tacshell is a drop-in replacement for the RSA ACE/Server sdshell program, which allows UNIX shell authentication via a SecurID token.

Q) How does tacshell differ from sdshell?

A) tacshell authenticates against an ACE/Server via the Cisco TACACS+ protocol, whereas sdshell authenticates via a proprietary protocol.

Q) Why would I want to use tacshell instead of sdshell?

A) Several reasons:
  • sdshell authentication breaks when the client is separated from the server by NATting (for instance, if the client is in a DMZ).
  • Source code for sdshell is not available, so it cannot be used in odd-ball UNIX boxen.
  • tacshell is much smaller than sdshell (~20k versus ~80k).
  • tacshell does not need suid root privileges.
  • tacshell doesn't have any buffer overflows or other nasties :)

Q) What operating systems does tacshell support?

A) I've personally tested it on NetBSD-1.6 and Solaris 2.[68]. In theory it should run on any POSIX-compliant system that implements getpass() or getpassphrase().

Q) How do I deploy tacshell?

A) Follow these steps (it is assumed that the target machine has a working C development environment):
  • ./configure
  • make
  • make install
  • Copy /usr/local/etc/tacshell.conf-sample to /usr/local/etc/tacshell.conf and edit to suit.
  • Edit the password file, making tacshell the target user's shell and nulling out their password.
  • Ensure that the ACE/Server knows about the client machine. Machine type probably should be "communication server".
  • If per-user shell overrides are desired, place a "shell /path/to/shell" directive in ~/.tacshell
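
A post-deployment check for the password-file and ~/.tacshell steps above, as an added example that is not part of tacshell or these release notes. It assumes tacshell is installed as /usr/local/bin/tacshell, that the file passed in keeps the password in field 2 and the home directory and shell in its last two fields, and that override shells should appear in an /etc/shells-style list; the function names and sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit helpers for a tacshell deployment (not part of tacshell).
# Assumed: install path below; password in field 2, home and shell in last two fields.
TACSHELL=${TACSHELL:-/usr/local/bin/tacshell}

# Emit "user:home:status" for each account whose login shell is tacshell.
tacshell_accounts() {
    awk -F: -v sh="$TACSHELL" '$NF == sh {
        print $1 ":" $(NF-1) ":" ($2 == "" ? "null-password" : "password-set") }' "$1"
}

# Emit the path from every "shell /path/to/shell" directive in a ~/.tacshell file.
override_shells() {
    awk '$1 == "shell" && NF >= 2 { print $2 }' "$1"
}

# Succeed only if the override is an absolute path listed in a shells(5)-style file.
override_allowed() {
    case $1 in /*) ;; *) return 1 ;; esac
    grep -Fqx -- "$1" "$2"
}

# audit PASSWD SHELLS [ROOT]: ROOT is prefixed to home directories (offline runs).
audit() {
    tacshell_accounts "$1" | while IFS=: read -r user home status; do
        [ "$status" = null-password ] || echo "$user: password field is not null"
        conf="${3:-}$home/.tacshell"
        [ -f "$conf" ] || continue
        override_shells "$conf" | while read -r target; do
            override_allowed "$target" "$2" ||
                echo "$user: override shell $target is not in the shells list"
        done
    done
}

# Constructed sample data so the audit runs offline.
make_sample() {
    d=$(mktemp -d) && mkdir -p "$d/home/alice" "$d/home/bob" || return 1
    printf '%s\n' \
        "alice::1001:100:Alice:/home/alice:$TACSHELL" \
        "bob:x:1002:100:Bob:/home/bob:$TACSHELL" \
        "carol:x:1003:100:Carol:/home/carol:/bin/sh" > "$d/passwd"
    printf '%s\n' /bin/sh /bin/ksh > "$d/shells"
    echo 'shell /bin/ksh' > "$d/home/alice/.tacshell"
    echo 'shell /tmp/notashell' > "$d/home/bob/.tacshell"
    echo "$d"
}

d=$(make_sample) && audit "$d/passwd" "$d/shells" "$d"; rm -rf "$d"
```

On a system that keeps passwords in a separate shadow file, the password-field check only means something when run against the file that actually holds that field together with the shell.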

Q) tacshell doesn't work with OpenSSH and Solaris! What's wrong?

A) You've probably configured tacshell's user shell to be bash and you're using the Sun-supplied bash package (i.e., bash-2.03). This version tests stdin/stdout -- if they aren't a socket, bash assumes that it is a noninteractive shell and effectively hangs. The solution is to use a newer version of bash.

Q) Why so many copyright notices?

A) tacshell started life as tacc-1.6.5, written by Pawel Krawczyk. The tacacs+ protocol implementation in tacc was extremely suboptimal (read: was terribly sick and wrong), so a project that originally started as a quick code retrofit was transformed into what amounted to be a complete rewrite. Some of Pawel's code is intact, so I preserved his copyright.

Q) So what license is the code under?

A) GPL :)

